tuhh-softsec/vul4j-plus

Vul4J+

Vul4J+ is a dataset of vulnerability fixes for automated vulnerability repair (AVR) in Java. Each entry of the dataset represents a vulnerability affecting an open-source Java project and references the commit (revision) containing the code affected by the vulnerability together with the version fixed by a human developer (the "left" and "right" sides of the commit). Each vulnerability is equipped with at least one "oracle" that witnesses the presence of the vulnerability and can be used to validate the correctness of patches generated by AVR tools. This oracle takes one of two forms:

  • A vulnerability-witnessing test, i.e., a JUnit test case that fails on the vulnerable version of the code but passes on the patched version.
  • A warning (report) raised by a vulnerability-oriented static analyzer, namely SpotBugs, that is present in the vulnerable version of the code but absent from the patched version.
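The second kind of oracle is checked by comparing the analyzer's output on both sides of the commit. The following is an added example, not code from the Vul4J+ project: it parses two SpotBugs XML reports (the `BugCollection`/`BugInstance` layout with `type` and `category` attributes and `Class`/`Method` children is assumed from SpotBugs' report format) and decides whether a warning that identifies the vulnerability on the vulnerable revision has disappeared on the patched revision. Warnings are keyed on bug type, class and method rather than on line numbers, because any patch shifts lines. The reports, class names and the bug pattern chosen for the oracle are constructed sample values.

```python
"""Static-analyzer oracle check for a candidate patch (hypothetical example).

The oracle is satisfied when a warning of the chosen bug type that SpotBugs
reports on the vulnerable revision is no longer reported on the patched
revision. Newly introduced SECURITY warnings are reported as well, so a
patch that merely moves the problem elsewhere is visible to the reviewer.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from typing import NamedTuple


class Warning(NamedTuple):
    bug_type: str   # SpotBugs bug pattern, e.g. SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
    category: str   # SpotBugs category, e.g. SECURITY
    classname: str  # fully qualified class the warning is attached to
    method: str     # method name within that class ("" if the warning is class-level)


def parse_spotbugs(xml_text: str) -> set[Warning]:
    """Extract line-number-independent warning keys from a SpotBugs XML report."""
    root = ET.fromstring(xml_text)
    found: set[Warning] = set()
    for bug in root.iter("BugInstance"):
        # SpotBugs marks the location the warning belongs to with primary="true".
        cls = bug.find("Class[@primary='true']") or bug.find("Class")
        method = bug.find("Method[@primary='true']") or bug.find("Method")
        found.add(Warning(
            bug_type=bug.get("type", ""),
            category=bug.get("category", ""),
            classname=cls.get("classname", "") if cls is not None else "",
            method=method.get("name", "") if method is not None else "",
        ))
    return found


def check_static_oracle(vulnerable_xml: str, patched_xml: str, oracle_type: str) -> dict:
    """Compare both reports; the oracle holds when no 'oracle_type' warning survives."""
    before = parse_spotbugs(vulnerable_xml)
    after = parse_spotbugs(patched_xml)
    witnessed = {w for w in before if w.bug_type == oracle_type}
    if not witnessed:
        # A warning that is absent on the vulnerable revision cannot serve as an oracle.
        raise ValueError(f"{oracle_type} is not reported on the vulnerable revision")
    surviving = witnessed & after
    introduced = {w for w in after - before if w.category == "SECURITY"}
    return {"fixed": not surviving, "surviving": surviving, "introduced": introduced}


def _report(*bugs: tuple[str, str, str, str]) -> str:
    """Build a constructed SpotBugs-style report from (type, category, class, method) tuples."""
    body = "".join(
        f'<BugInstance type="{t}" priority="1" category="{c}">'
        f'<Class classname="{k}" primary="true"/>'
        f'<Method classname="{k}" name="{m}" primary="true"/>'
        f'<SourceLine classname="{k}" start="1" end="1"/>'
        f"</BugInstance>"
        for t, c, k, m in bugs
    )
    return f'<BugCollection version="4.7.3">{body}</BugCollection>'


# Constructed sample reports: the vulnerable side carries an SQL-injection warning plus
# an unrelated encoding warning; the good patch removes only the former; the bad patch
# keeps it and adds a new SECURITY warning in another method.
ORACLE_TYPE = "SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE"
VULNERABLE_REPORT = _report(
    (ORACLE_TYPE, "SECURITY", "com.example.UserDao", "findByName"),
    ("DM_DEFAULT_ENCODING", "I18N", "com.example.UserDao", "exportCsv"),
)
GOOD_PATCH_REPORT = _report(
    ("DM_DEFAULT_ENCODING", "I18N", "com.example.UserDao", "exportCsv"),
)
BAD_PATCH_REPORT = _report(
    (ORACLE_TYPE, "SECURITY", "com.example.UserDao", "findByName"),
    ("DM_DEFAULT_ENCODING", "I18N", "com.example.UserDao", "exportCsv"),
    (ORACLE_TYPE, "SECURITY", "com.example.UserDao", "findByEmail"),
)


if __name__ == "__main__":
    for label, patched in (("good patch", GOOD_PATCH_REPORT), ("bad patch", BAD_PATCH_REPORT)):
        result = check_static_oracle(VULNERABLE_REPORT, patched, ORACLE_TYPE)
        print(label, "oracle satisfied" if result["fixed"] else "oracle NOT satisfied",
              "| new SECURITY warnings:", len(result["introduced"]))
```

A real run would feed the `.xml` files produced by SpotBugs on each container rather than the embedded strings; the matching on class and method is deliberately loose so that the check tolerates a patch that reflows the method without changing its name.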

In essence, Vul4J+ is a cleaned-up and extended version of Vul4J containing:

  • 106 known vulnerabilities with executable vulnerability-witnessing test cases in Docker containers, plus warnings (reports) from the SpotBugs static analyzer where found, of which:
    ◦ 79 come from the original Vul4J;
    ◦ 27 result from the replication of the same protocol used in the original Vul4J;
  • 50 vulnerabilities stored in Docker containers with the warnings (reports) from the SpotBugs static analyzer;
  • 35 known vulnerabilities matched with vulnerability-witnessing test cases retrieved from projects in the wild.

In total, Vul4J+ points to 191 vulnerabilities, each with at least one vulnerability oracle.

Link to the dataset: https://zenodo.org/records/13752193
